Security

Privilege Account Management Solution Evaluation

For as long as I’ve been in IT professionally, users have been local administrators on their machines.  Time and time again, history has proven this approach undermines what might otherwise be successful IT strategies to improve an organization’s security posture.  Introducing a change requires addressing some facts:

Fact: Users do not need admin rights to accomplish day to day tasks.
Fact: Users have grown accustomed to having certain privileges on their machines
Fact: Some legitimate changes initiated by users do require elevated rights
Fact: Bears eat beets.  Bears.  Beets.  Battlestar Galactica.

Fortunately there is a sea of Privilege Account Management or Privilege Management solutions out there that control elevation rights, eliminating the need to give users administrative rights.

I do want to highlight that although our research was done a few years back, the underlying concepts and organizational requirements continue to serve as the core framework for any future Privilege Management solutions we evaluate for implementation.

Executive Summary

Adhering to the principle of least privilege allows the day to day user to continue to work efficiently without interruption while introducing several desirable benefits including but not limited to:

  • Cost Savings – Successful vulnerability exploits often result in lost time, intellectual property, productivity, brand value and customers’ trust. System instability results in lost productivity. Lack of license compliance can result in unbudgeted expenses not to mention costly fines.
  • Regulatory Compliance – When users have administrator rights they can change system settings, which affect compliance to regulatory standards. Failure to meet standards can result in more audits and remediation work.
  • System Stability – When a user adds a new piece of software, installs a driver, or changes a setting, the stability of the system is affected.
  • Threat Protection – Running software with reduced privileges can mitigate a majority of software vulnerabilities that take advantage of the privileges of the running user.
  • License Compliance – When users have full control over what is installed on their computers, there is nothing to prevent them from intentionally or unintentionally using unlicensed software.

Vendor Identification

We identified the following five vendors (listed alphabetically) based on many factors including feature set, product maturity, industry reputation, community feedback and perceived position in the marketplace.

Avecto

Avecto is a leader in Windows privilege management, helping organizations to deploy secure and compliant desktops and servers. With its Privilege Guard technology, organizations can empower all Windows based desktop and server users with the privileges they require to perform their roles, without compromising the integrity and security of their systems.

BeyondTrust

BeyondTrust offers a complete Privileged Account Management (PAM) portfolio and was one of the first products on the market in this area. BeyondTrust has a worldwide presence with a large market share in the US of which banking and securities and retail organizations make up a significant share of the company’s customers.

Bit9+CarbonBlack

Bit9+Carbon Black offers a solution for advanced threat protection for endpoints and servers. Combined, it helps organizations protect themselves from advanced threats in two critical ways: by reducing their attack surface through new signature-less forms of prevention, and rapidly detecting and responding to threats.

Centrify

Centrify Privilege Management allows administrators to manage privilege globally across Windows, Linux and UNIX. It is a flexible, highly granular privilege management solution that allows users to get work done, reduces risks and makes implementing a least-privilege approach easy with role-based access controls.

ViewFinity

Viewfinity’s privilege management suite bolsters administrators’ ability to control user privileges on corporate desktops, helping to eliminate one of the biggest security holes on today’s enterprise networks: risky activities on corporate desktops that occur inside the firewall. Viewfinity is a suite of integrated management tools that simplify the processes involved in privilege management, enabling administrators to more effectively protect PCs from unauthorized use and providing granular control over who can do what on servers and endpoints across the enterprise.

Success Criteria

We designed a scoring system based on key areas of interest:

  • Solution designed with mobility in mind (up to 15 points)
  • Application control/features (up to 15 points)
  • Experience in the legal vertical (up to 10 points)
  • Reputation and footprint by way of endpoint count (up to 10 points)
  • Client components (up to 5 points)
  • Implementation options (up to 5 points)
  • Considerations for VDI environments (up to 10 points)
  • Depth and breadth of reporting (up to 10 points)
  • Ease of use & management (up to 10 points)
  • Integrations with existing technology (up to 5 points)
  • Innovation (up to 5 points)

In addition, there were specific features and scenarios we were looking to cover in the demos:

  • Details of the elevation process (e.g.: token based)
  • Handling of products not explicitly whitelisted/blacklisted
  • Capable of elevating ActiveX controls
  • Whether or not it offered some sort of sandboxing technology
  • Data aggregation and correlation
  • Level of customization for user facing elements

Vendor Reduction

After reviewing each product and comparing notes we decided the following vendors were not best suited for our particular requirements.

BeyondTrust:

  • The SaaS/Web solution for a mobile workforce wasn’t as easy to use as Avecto’s or Viewfinity’s.
  • Insignificant presence in the legal vertical.

Bit9 + Carbon Black:

  • Lack of a method for elevating the execution of processes. Users would not be able to install applications, even those approved to be installed.
  • Core focus is application whitelisting (i.e.: whether or not a process can execute) versus allowing processes that require elevation to elevate automatically based on a ruleset.

Centrify:

  • Application control functionality was not nearly as robust as their competitors’.
  • Product is best suited for environments where Macs are deployed
  • PAM is only part of a much larger product versus the primary focus of the product.
  • Lack of an appreciable presence in the legal vertical.

I want to be clear:

  • These were not bad solutions by any means.
  • They just didn’t meet enough of our core requirements for us to move forward to the next phase.
  • Also, again, this being a fairly dated review, it’s quite possible things have changed since we originally evaluated them so do your due diligence.

Reference Checks

We received a list of references from both Avecto and ViewFinity, set up calls and included those findings for consideration in our recommendation.

Avecto

  • The “best of breed” and innovative solution compared to other products on the market.
  • Integration with existing A/V and HIPS solutions allowing for centralized management and reporting
  • Able to easily workaround special handling scenarios needed for certain users and applications.
  • Support has been great, fast turnaround for critical issues and the product is well documented.
  • Successful implementations not just from the IT perspective but also from the user perspective as it was completely transparent.
  • Works as designed and is easy to work with.

ViewFinity

  • Smooth transition from another competitor’s on-prem solution to ViewFinity’s hosted solution.
  • SaaS solution works well, delivers updated configuration to clients faster than GPO
  • No issues they couldn’t work through or around.
  • Works well for a highly mobile workforce
  • Support is responsive with no gaps in communication
  • Easy and straightforward to use with little ongoing management required

Pilot Result

We tested each solution for one month at a time on our primary systems (aka our daily driver machine).  Although they were both different, there were a lot of similarities that carried over between each product.

ViewFinity

  • Only vendor with a completely separate SaaS/Web PAM solution, and we were impressed with it.  Viewfinity seems to better understand the needs of a mobile user, and their SaaS/Web product is built solely for a mobile population.
  • Established presence in law firms of significant size
  • Has grown substantially in install count and product maturity over the past few years.

Avecto

  • Has a mechanism to distribute updates, but it’s built on a traditional group policy based management delivery approach.
  • Appears to be the strongest and fastest innovator in the PAM vertical.
  • Had features in the product that Viewfinity didn’t have yet.

These findings were then added to our success criteria.

Final Score

Before I reveal the results, I want to point out a few very important items:

  1. This review took place a few years ago so I imagine that each of the products mentioned here have matured for the better since then and that there may be new players in this space.
  2. Both solutions are very solid products, each with their own set of features that clearly distinguished it from the other in a few key categories.
  3. We ultimately did not move forward with either product because of a change in strategic initiatives.

Having said that, here is what we gave:

  • Avecto: 79 out of 100
  • ViewFinity: 81 out of 100

From a scoring perspective, the difference was almost negligible, and after some discussion we made a recommendation to move forward with one vendor.  However, it was not based solely on the numerical score but on what I feel is an oft-overlooked point: the level of expertise of the vendor’s technical lead assisting with the implementation.  Their technical lead driving these demos and Q&A sessions demonstrated a deep level of understanding and was able to think and respond quickly when in ‘uncharted territory’: atypical use cases, examples, etc.  After putting each vendor through the wringer, one gave us the confidence that they would be able to assist us in meeting our objective of making this a successful implementation.

Closing Thoughts

This was probably one of the more fun projects we took on and some part of me was disappointed we didn’t move forward with any of the recommended products.  But on the other hand, after removing local Administrator rights and implementing Microsoft’s Local Administrator Password Solution (LAPS) we learned that we really didn’t need a solution to achieve our primary objective.

I’m eager to hear from others who are in the process of implementing – or have just implemented – a PM/PAM solution, so please let me know in the comments.

 

Good Providence!

PSA: Disabling Bluetooth via PowerShell in Response to BlueBorne

Please note that nearly all of the machines in our environment are on Windows 10 so this is written with that in mind.

With the recent news about BlueBorne:

It’s been an interesting day!

Since Bluetooth is generally enabled in our environment, one school of thought is to reduce the attack surface by disabling Bluetooth across the board, then re-enable where necessary as some users have Bluetooth keyboards, mice and other peripherals.

There were two approaches:

  • Disable it in the BIOS (more on that later)
  • Disable it in Device Manager

Since the latter was more universal, and I’ll explain my perspective on that, I slapped together something basic to disable Bluetooth devices on the system.  I haven’t tested it extensively but on all of my Lenovo ThinkPad laptops, it’s worked without issue.

Disable-Bluetoothv1

Function Disable-Bluetoothv1
    {
        # Find every working (Status OK) PnP device whose friendly name contains 'bluetooth'
        foreach($BTDevice in $(Get-PnpDevice -FriendlyName '*bluetooth*' -Status OK -ErrorAction SilentlyContinue))
            {
                # Re-check the device is still OK, in case an earlier iteration already disabled it
                if(Get-PnpDevice -FriendlyName $BTDevice.FriendlyName -Status OK -ErrorAction SilentlyContinue)
                    {
                        # -WhatIf makes this a dry run; remove it to actually disable the device.
                        # -ErrorAction Stop turns a failed disable into a terminating error so the catch block sees it.
                        try { Disable-PnpDevice -InstanceId $BTDevice.InstanceId -Verbose -Confirm:$false -WhatIf -ErrorAction Stop }
                        catch { Write-Output "ERROR DISABLING [$($BTDevice.FriendlyName)] @ [$($BTDevice.InstanceId)]:`r`n$_" }
                    }
            }
    }

Disable-Bluetoothv2

Function Disable-Bluetoothv2
    {
        # Find every working (Status OK) PnP device with 'bluetooth' in its caption or description
        foreach($BTDevice in $(Get-WmiObject -Class Win32_PnPEntity | Where-Object { (($_.Caption -like '*bluetooth*') -or ($_.Description -like '*bluetooth*')) -and $_.Status -eq 'OK' }))
            {
                # Re-check the device is still OK, in case an earlier iteration already disabled it
                if(Get-WmiObject -Class Win32_PnPEntity -Filter "Caption='$($BTDevice.Caption)' AND Status='OK'")
                    {
                        # -WhatIf makes this a dry run; remove it to actually disable the device.
                        # -ErrorAction Stop turns a failed Disable call into a terminating error so the catch block sees it.
                        try { Invoke-WmiMethod -InputObject $BTDevice -Name 'Disable' -Verbose -WhatIf -ErrorAction Stop }
                        catch { Write-Output "ERROR DISABLING [$($BTDevice.Caption)][$($BTDevice.Description)] @ [$($BTDevice.DeviceID)]:`r`n$_" }
                    }
            }
    }

Both work and I personally don’t have a preference.  It’s really just a tomato tomahtoe / potaytoh potato / six of one half dozen of another type situation.

Also, be sure to remove the -WhatIf parameter if you decide to use it!

So here’s what my Lenovo laptop looked like before:

BTBefore

And here’s what it looks like after:

BTAfter
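Since the post also says Bluetooth gets re-enabled where a user needs a keyboard or mouse, here is an added example (my code, not from the original post) that reports Bluetooth device state in place of the screenshots and provides the re-enable counterpart to the disable scripts. It assumes Windows 10 with the PnpDevice module (Get-PnpDevice / Enable-PnpDevice) in an elevated console; the function names are my own.

```powershell
# Added example, not from the original post: report the state of Bluetooth
# devices (stands in for the before/after screenshots) and re-enable them for
# the users who need their Bluetooth keyboard or mouse back. Assumes Windows 10
# with the PnpDevice module (Get-PnpDevice / Enable-PnpDevice) in an elevated
# console. The function names are my own.

Function Get-BluetoothDeviceState
    {
        # Same matching rule as the disable scripts (friendly name contains
        # 'bluetooth'), plus anything Windows files under the Bluetooth class.
        Get-PnpDevice -ErrorAction SilentlyContinue |
            Where-Object { ($_.FriendlyName -like '*bluetooth*') -or ($_.Class -eq 'Bluetooth') } |
            Select-Object FriendlyName, Class, Status, ConfigManagerErrorCode, InstanceId
    }

Function Enable-Bluetooth
    {
        # SupportsShouldProcess gives this function the -WhatIf / -Confirm dry run
        # the disable scripts rely on, without hard-coding -WhatIf in the body.
        [CmdletBinding(SupportsShouldProcess = $true)]
        param
            (
                # Narrow the re-enable to specific devices (e.g. '*Intel*'); default is all.
                [string]$FriendlyName = '*bluetooth*'
            )

        # Only touch devices that are disabled (Status Error with ConfigManagerErrorCode 22,
        # CM_PROB_DISABLED), so devices failing for some other reason are left alone.
        $Disabled = @(Get-PnpDevice -FriendlyName $FriendlyName -Status Error -ErrorAction SilentlyContinue |
            Where-Object { $_.ConfigManagerErrorCode -eq 22 })

        if($Disabled.Count -eq 0) { Write-Output "No disabled Bluetooth devices matching [$FriendlyName]"; return }

        foreach($BTDevice in $Disabled)
            {
                if($PSCmdlet.ShouldProcess($BTDevice.FriendlyName, 'Enable-PnpDevice'))
                    {
                        try { Enable-PnpDevice -InstanceId $BTDevice.InstanceId -Confirm:$false -ErrorAction Stop }
                        catch { Write-Output "ERROR ENABLING [$($BTDevice.FriendlyName)] @ [$($BTDevice.InstanceId)]:`r`n$_" }
                    }
            }
    }

# Usage: snapshot the state, dry run, re-enable, then show what changed.
$Before = @(Get-BluetoothDeviceState)
Enable-Bluetooth -WhatIf
Enable-Bluetooth
Compare-Object -ReferenceObject $Before -DifferenceObject @(Get-BluetoothDeviceState) -Property FriendlyName, Status
```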

Good Providence and be safe out there!

If You’re Paranoid, Remove TeamViewer

So, naturally, this is in response to the recent allegations that TeamViewer has been hacked…

While TeamViewer hasn’t admitted to having been breached, and although what they’ve suggested is completely plausible, one thing is clear: What has been reported thus far doesn’t give me the warm and fuzzy … so I’m going to play it safe for now.

I put together a script to remove TeamViewer from not only my own machines, but also from the machines of friends and family I often support.  I’ve run this on Windows 7+ and so far it works as expected.  If you run into an issue, let me know and I’ll do what I can to troubleshoot asap.

Also

  1. If you’re not using a password manager or are still using easy to remember passwords or are recycling/reusing passwords across multiple sites;
  2. If you’re not using two-factor authentication (2FA)

You really should reconsider.  Check yourself out on https://haveibeenpwned.com/ to see what accounts may have been compromised in a data breach and take the necessary precautions.

This needs to be run from an elevated PowerShell console or ISE.

# Define TeamViewer Installation directory array for use below
$arrTVInstallDirs = @()

# Define TeamViewer Uninstaller EXE's for use below
$arrTVUninstallers = @()

# Get TeamViewer Install Directories for both architectures
$arrTVInstallDirs += gci $env:ProgramFiles *TeamViewer*
if($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { $arrTVInstallDirs += gci ${env:ProgramFiles(x86)} *TeamViewer* }

# Loop through each 'TeamViewer' directory for EXE's, note the uninstaller and kill those processes
foreach($TVInstallDir in $arrTVInstallDirs)
    {
        write-host "Processing TVInstallDir [$($TVInstallDir.FullName)]"
        Foreach($TVEXE in $(gci -Path $($TVInstallDir.FullName) -Recurse *.exe))
            {
                if($TVEXE.Name -eq 'uninstall.exe') { $arrTVUninstallers += $TVEXE }
                # Stop-Process -Name takes the process name without the .exe extension, so use BaseName
                write-host "Killing Process [$($TVEXE.BaseName)]"
                Stop-Process -Name $($TVEXE.BaseName) -Force -ErrorAction SilentlyContinue
            }
    }

# Stop Team Viewer services
Foreach($TVService in $(Get-WmiObject -Class Win32_Service -Filter "Name like '%TeamViewer%'"))
    {
        # Stop Service
        write-host "Stopping Service [$($TVService.Name)]"
        $TVService.StopService() | Out-Null

        # Disable Service
        write-host "Disabling Service [$($TVService.Name)]"
        If($TVService.StartMode -ne 'Disabled') { Set-Service -Name $TVService.Name -StartupType Disabled | Out-Null }

        # Delete Service
        write-host "Deleting Service [$($TVService.Name)]"
        $TVService.Delete() | Out-Null
    }

# Loop through the uninstallers
Foreach($TVUninstaller in $arrTVUninstallers)
    {
        $PSI = New-Object -TypeName 'System.Diagnostics.ProcessStartInfo' -ErrorAction 'Stop'
        $PSI.Arguments = '/S'
        $PSI.CreateNoWindow = $false
        $PSI.FileName = $TVUninstaller.FullName
        $PSI.UseShellExecute = $false
        $PSI.WindowStyle = 'Normal'
        $PSI.Verb = 'runas'

        $Proc = New-Object -TypeName 'System.Diagnostics.Process' -ErrorAction 'Stop'
        $Proc.StartInfo = $PSI

        write-host "Uninstalling TeamViewer [$($TVUninstaller.FullName)]"
        if($Proc.Start() -eq $true)
            {
                write-host "Uninstall started - waiting for it to finish..."
                # WaitForExit blocks until the uninstaller exits, so no polling loop is needed
                $Proc.WaitForExit()
                if($Proc.ExitCode -eq 0) { write-host "Uninstall completed successfully! [$($Proc.ExitCode)]" -ForegroundColor Green }
                else { write-host "ERROR: Uninstall completed WITH ERRORS [$($Proc.ExitCode)]" -ForegroundColor Red }
            }
            # ExitCode is not available for a process that never started, so only report the path here
            else { write-host "ERROR Failed to start uninstall [$($TVUninstaller.FullName)]" -ForegroundColor Yellow }
    }
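To verify the removal rather than assume it worked, here is an added example (my code, not from the original post) that reports anything the script above may have left behind: running processes, registered services, install directories and Add/Remove Programs entries. It assumes PowerShell 3.0 or later in an elevated console; the function name and output shape are my own.

```powershell
# Added example, not from the original post: post-removal check for TeamViewer
# remnants. Assumes PowerShell 3.0+ in an elevated console; the function name is mine.

Function Test-TeamViewerRemoved
    {
        $Leftovers = @()

        # 1. Running processes (Get-Process -Name matches on the base name, no .exe)
        foreach($P in Get-Process -Name '*TeamViewer*' -ErrorAction SilentlyContinue)
            { $Leftovers += [pscustomobject]@{ Kind = 'Process'; Name = $P.ProcessName; Detail = $P.Path } }

        # 2. Services, whether running or merely still registered (same filter as the removal script)
        foreach($S in Get-WmiObject -Class Win32_Service -Filter "Name like '%TeamViewer%'")
            { $Leftovers += [pscustomobject]@{ Kind = 'Service'; Name = $S.Name; Detail = "$($S.State)/$($S.StartMode)" } }

        # 3. Install directories under both Program Files locations
        $Roots = @($env:ProgramFiles)
        if($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { $Roots += ${env:ProgramFiles(x86)} }
        foreach($D in $(Get-ChildItem -Path $Roots -Filter '*TeamViewer*' -Directory -ErrorAction SilentlyContinue))
            { $Leftovers += [pscustomobject]@{ Kind = 'Directory'; Name = $D.Name; Detail = $D.FullName } }

        # 4. Add/Remove Programs entries in the 64-bit and 32-bit hives; these survive a failed uninstall
        $UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
        foreach($K in $(Get-ChildItem -Path $UninstallKeys -ErrorAction SilentlyContinue))
            {
                $DisplayName = (Get-ItemProperty -Path $K.PSPath -ErrorAction SilentlyContinue).DisplayName
                if($DisplayName -like '*TeamViewer*')
                    { $Leftovers += [pscustomobject]@{ Kind = 'Registry'; Name = $DisplayName; Detail = $K.PSPath } }
            }

        if($Leftovers.Count -eq 0) { write-host "No TeamViewer remnants found" -ForegroundColor Green }
        else { write-host "TeamViewer remnants found: $($Leftovers.Count)" -ForegroundColor Red }
        return $Leftovers
    }

# Usage: run after the removal script; anything listed still needs attention
Test-TeamViewerRemoved | Format-Table -AutoSize
```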

 

Good Providence and be safe!